Risk in Context

Five Reasons Why Educational Institutions Are Prime Targets for Cyber-Attacks

Fact: Academia ranks in the top three industries that are most susceptible to cyber risk, according to security firm Kroll. Why? Simply put, the networks at educational institutions house the type of information that hackers covet, and, given the open academic environment, those networks tend to be easier to penetrate.

It’s personal. As much as any other type of organization, the networks at universities contain data that is valuable to cyber thieves, including Social Security numbers, credit card numbers, and medical information for current and former students, employees, donors, trustees, and board members.

Hither and yon. Personal data breaches are particularly challenging for higher education organizations because the individuals whose information is at risk may reside outside home campus, in numerous states, and even in international branch campuses, further complicating compliance with breach notification laws.

Multiple entry points. Educational institutions pride themselves on promoting an open exchange of ideas to foster online as well as in-person learning. Their computer networks reflect that open environment — often to a fault. The typical college or university serves a wide range of users on its network, including students, faculty, administrators, alumni, corporate partners, and third-party vendors. All access the network 24/7/365, often via devices that may not be monitored or that have inadequate intrusion detection systems. The result: multiple potential entry points.

Social insecurity. Hundreds if not thousands of smartphone-tapping students use a college’s network to access social media sites and texting platforms. Institutions have generally not kept pace with the ever-evolving technological and cyber risk factors inherent in such sites. Moreover, many schools lack social media policies that establish accepted standards for the sharing of proprietary information and intellectual property.

The downside of democracy. The typical college IT network is decentralized by design. In many cases, individual departments may even use their own, discipline-specific networks, software, and technologies. While democratization is a bedrock tenet of most institutions’ charters, the concept does not foster top-notch cyber security.

One reason that educational institutions’ vulnerability to cyber risk is so significant is because the stakes are so high in terms of liability exposure. Data breaches can quickly turn into hot-button, high-visibility problems: identity theft, electronic stalking, hate mail, health privacy (Health Insurance Portability and Accountability Act) and intellectual property (first- and third-party) breaches, to name a few.

With those and other liability risks in play, educational institutions are engaging in professional, comprehensive assessments of their IT networks in general, and their cyber risk exposures in particular. The investment is well worth it.